The “Hows and Whys” of an Incident Management Call

Recently, I had a meeting with a potential customer who was looking to invest in Tripwire’s portfolio. We got to talking about various aspects of information security—in particular, when companies discover, react to and investigate potential security breaches. The conversation took me back to when I worked in information security as a technical security manager.

When the large organisation I worked for detected an incident or suspected breach, a war room would be set up, a conference call started, and key stakeholders invited to weigh in on the incident.

Initially, nobody would have a clue what had happened and why they were on the call. But slowly, as all the facts came together, the picture would inevitably become clearer. As each department reported in on what they knew, the business impact became more apparent. While everyone was concerned, it was unlikely they knew the full extent of the exposure at that stage.

The incident manager always took charge of the call and would ask, “What systems have been impacted?” Some believed they knew, but the truth was no one really knew the full extent of the incident.

The incident manager continued, “What logs do we have that will help us understand how the breach occurred?” Logs? What logs? If we need logs to investigate a breach, they have to have been enabled, retained and forwarded somewhere useful in the first place.

Good log management practices aren’t always easy to find, however. I’ve been on incident calls where a department lead stood up and said, “We have logs turned on for our systems, but they only collect the last 12 hours.” Helpful. And let’s not forget there can be logs from systems that don’t help much because the wrong log level is set.

Have you been on incident management calls and heard some of the questions and answers above? Speaking from personal experience and discussing this topic with other security professionals, I’ve found plenty who have. It’s no laughing matter, though. The organization’s security is at stake, and without adequate details of a breach, security teams have little hope of containing or responding to an incident.

By contrast, imagine how great it would be if the information security manager spoke up during the call and said, “Fileservers alpha, bravo and delta were impacted. A number of critical operating system DLLs were altered last night at 04:10 on all three servers, which caused app-service-a and app-service-b to stop functioning at 04:12. One of the altered DLLs tested positive as malicious software. Oh, and by the way, I know the name of the user who made these changes.” But without the proper logs available, how does the security manager know this information?

The answer comes from a solution that can identify changes to files and systems and pinpoint the user who made those modifications. That attribution matters, because the change may not have come from outside at all: a malicious employee could have hit the servers.

Through integration with threat intelligence providers, the solution should be able to validate a change by querying the provider to determine whether the altered file is a known threat and, if the file is unknown, submit the sample to the provider for analysis. And through integration with ticketing systems, each change can be checked against change control to confirm it was approved and made within its scheduled window.
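The workflow described above (baseline the critical files, detect what changed, attribute who changed it and when, then check the change against an approved change-control window) can be sketched in a few dozen lines. The following is an added illustration, not Tripwire code; the file names, hashes, user names and ticket windows are constructed sample data, and the audit trail is assumed to be supplied by the host’s own auditing.

```python
# Added illustration: baseline-and-diff file integrity check with
# change-control validation. Not Tripwire code; all sample data is constructed.
import hashlib
from datetime import datetime, timezone
from pathlib import Path

UTC = timezone.utc

def snapshot(root):
    """Hash every regular file under root -> {relative_path: sha256 hex}."""
    root = Path(root)
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def diff_baseline(baseline, current):
    """Compare two snapshots and return sorted (path, kind) tuples."""
    changes = []
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            changes.append((path, "added"))
        elif path not in current:
            changes.append((path, "removed"))
        elif baseline[path] != current[path]:
            changes.append((path, "modified"))
    return changes

def classify_changes(changes, audit, tickets):
    """Attach who/when from the audit trail and flag any change that falls
    outside an approved change-control window for that path as 'investigate'."""
    report = []
    for path, kind in changes:
        who, when = audit[path]  # assumed to come from host auditing (constructed here)
        approved = any(t["path"] == path and t["start"] <= when <= t["end"]
                       for t in tickets)
        report.append((path, kind, who, "approved" if approved else "investigate"))
    return report

# Constructed sample data standing in for a real baseline, rescan and audit trail.
BASELINE = {"System32/app-service-a.dll": "aa11", "System32/netapi.dll": "bb22"}
CURRENT = {"System32/app-service-a.dll": "aa11", "System32/netapi.dll": "cc33",
           "System32/helper.dll": "dd44"}
AUDIT = {"System32/netapi.dll": ("svc_deploy", datetime(2024, 1, 1, 4, 10, tzinfo=UTC)),
         "System32/helper.dll": ("jdoe", datetime(2024, 1, 1, 4, 10, tzinfo=UTC))}
TICKETS = [{"path": "System32/netapi.dll",
            "start": datetime(2024, 1, 1, 2, 0, tzinfo=UTC),
            "end": datetime(2024, 1, 1, 5, 0, tzinfo=UTC)}]

if __name__ == "__main__":
    for row in classify_changes(diff_baseline(BASELINE, CURRENT), AUDIT, TICKETS):
        print(row)
```

In the sample data the netapi.dll change sits inside an approved ticket window and is marked approved, while the unexpected helper.dll written by jdoe at the same time is flagged for investigation; `snapshot()` is the piece you would run against a real directory to produce the baseline and rescan dictionaries.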

If you have this kind of solution, do you still need logs? Absolutely. It’s vital that logging is enabled on your applications, operating systems and network devices, and that logs are transmitted to a central log aggregation tool. By applying correlation rules (intelligence) to those logs, a system administrator can work out how the breach in question occurred and look for patterns that appeared before and during the breach, such as a high number of failed logins.

Great. So are there file integrity monitoring solutions out there that do everything described above? There sure are. Tripwire Enterprise is capable of monitoring critical systems like network devices, databases, directory services and virtual infrastructures for changes in real time.

So the next time you get invited to an incident management call, don’t just think about the “hows and whys” of incident management. Consider adding that extra layer of security by investing in Tripwire Enterprise File Integrity Monitoring.